Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/pownjs/duct

Essential tool for finding blind injection attacks.
https://github.com/pownjs/duct

Last synced: 3 months ago
JSON representation

Essential tool for finding blind injection attacks.

Host: GitHub
URL: https://github.com/pownjs/duct
Owner: pownjs
License: mit
Created: 2019-02-04T09:56:57.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2019-02-06T05:19:31.000Z (over 5 years ago)
Last Synced: 2024-07-29T17:12:09.202Z (3 months ago)
Language: JavaScript
Homepage:
Size: 31.3 KB
Stars: 51
Watchers: 8
Forks: 13
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - pownjs/duct - Essential tool for finding blind injection attacks. (JavaScript)

README

        [![Follow on Twitter](https://img.shields.io/twitter/follow/pownjs.svg?logo=twitter)](https://twitter.com/pownjs)

[![NPM](https://img.shields.io/npm/v/@pown/duct.svg)](https://www.npmjs.com/package/@pown/duct)

[![Fury](https://img.shields.io/badge/version-2x%20Fury-red.svg)](https://github.com/pownjs/lobby)

# Pown Duct

Essential tool for finding blind injection attacks using DNS side-channels.

## Credits

This tool is part of [secapps.com](https://secapps.com) open-source initiative.

```

  ___ ___ ___   _   ___ ___  ___

 / __| __/ __| /_\ | _ \ _ \/ __|

 \__ \ _| (__ / _ \|  _/  _/\__ \

 |___/___\___/_/ \_\_| |_|  |___/

  https://secapps.com

```

> **NB**: This tool is taking advantage of http://requestbin.net service. Future versions will use a dedicated, custom-built infrastructure.

## Quickstart

This tool is meant to be used as part of [Pown.js](https://github.com/pownjs/pown) but it can be invoked separately as an independent tool.

Install Pown first as usual:

```sh

$ npm install -g pown@latest

```

Invoke directly from Pown:

```sh

$ pown duct

```

Otherwise, install this module locally from the root of your project:

```sh

$ npm install @pown/duct --save

```

Once done, invoke pown cli:

```sh

$ ./node_modules/.bin/pown-cli duct

```

You can also use the global pown to invoke the tool locally:

```sh

$ POWN_ROOT=. pown duct

```

## Usage

```

pown duct 

Side-channel attack enabler

Commands:

  pown duct dns  DNS ducting

Options:

  --version  Show version number  [boolean]

  --help     Show help  [boolean]

```

### `pown duct dns`

```

pown duct dns

DNS ducting

Options:

  --version  Show version number  [boolean]

  --help     Show help  [boolean]

  --channel  Restore channel  [string]

  --output   Output format  [string] [choices: "string", "hexdump", "json"] [default: "string"]

```

## Tutorial

There are cases when we need to perform an attack such as sql injection, XSS, XXE or SSRF but the target application is not providing any indication that it is vulnerable. One way to be sure if a vulnerability is present is to try to inject a valid attack vector which forces a DNS resolver to ask for a controlled domain. If the resolution is successful, the attack will be considered successful.

> **NOTE**: You might be familiar with Burp Collaborator which provides a similar service for customers.

First, we need a disposable dns name to resolve:

```sh

$ pown duct dns

```

![screenshot](https://media.githubusercontent.com/media/pownjs/pown-duct/master/screenshots/01.png)

Using the provided DNS, compose your payload. For example, the following could trigger a DNS resolution if a XXE vulnerability is present.

```xml

]>

&bar;

```

If the attack was successful, we will get a message in the terminal.

![screenshot](https://media.githubusercontent.com/media/pownjs/pown-duct/master/screenshots/02.png)